UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide


Overview

Date Finding Count (83)
2024-06-14 CAT I (High): 5 CAT II (Med): 78 CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-259350 High The Windows DNS Server must be configured to enable DNSSEC Resource Records (RRs).
V-259397 High The Windows DNS Server must protect the integrity of transmitted information.
V-259347 High The Windows DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record.
V-259343 High The Windows DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.
V-259390 High The Windows DNS Server must protect the authenticity of dynamic updates via transaction signing.
V-259376 Medium The Windows DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers.
V-259374 Medium The Windows DNS Server's IP address must be statically defined and configured locally on the server.
V-259379 Medium The Windows DNS Server must be configured with the Delegation Signer (DS) Resource Records (RR) carrying the signature for the RR that contains the public key of the child zone.
V-259378 Medium The Windows DNS Server must use DNSSEC data within queries to confirm data integrity to DNS resolvers.
V-259373 Medium The Windows DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries.
V-259399 Medium The Windows DNS Server must maintain the integrity of information during reception.
V-259372 Medium The salt value for zones signed using NSEC3 resource records (RRs) must be changed every time the zone is completely re-signed.
V-259414 Medium The private keys corresponding to both the zone signing key (ZSK) and the key signing key (KSK) must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
V-259381 Medium The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain.
V-259416 Medium In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
V-259417 Medium Windows DNS response rate limiting (RRL) must be enabled.
V-259384 Medium Automatic Update of Trust Anchors must be enabled on key rollover.
V-259411 Medium The DNS server implementation must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
V-259412 Medium In the event of a system failure, the Windows DNS Server must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
V-259387 Medium The Windows DNS secondary server must validate data integrity verification on the name/address resolution responses received from primary name servers.
V-259388 Medium The Windows DNS secondary server must validate data origin verification authentication on the name/address resolution responses received from primary name servers.
V-259389 Medium The Windows DNS Server must protect the authenticity of zone transfers via transaction signing.
V-259360 Medium Nonroutable IPv6 link-local scope addresses must not be configured in any zone.
V-259361 Medium AAAA addresses must not be configured in a zone for hosts that are not IPv6 aware.
V-259366 Medium The Windows DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).
V-259367 Medium The Windows DNS Server must be configured to enforce authorized access to the corresponding private key.
V-259364 Medium The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.
V-259365 Medium The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.
V-259344 Medium The Windows DNS Server must implement cryptographic mechanisms to detect changes to information during transmission.
V-259345 Medium The validity period for the Resource Record Signatures (RRSIGs) covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
V-259346 Medium NSEC3 must be used for all internal DNS zones.
V-259340 Medium The Windows DNS name servers for a zone must be geographically dispersed.
V-259341 Medium The Windows DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries.
V-259342 Medium Forwarders on an authoritative Windows DNS Server, if enabled for external resolution, must forward only to an internal, non-Active Directory (AD)-integrated DNS server or to the DOD Enterprise Recursive Services (ERS).
V-259353 Medium In a split DNS configuration between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
V-259348 Medium All authoritative name servers for a zone must be located on different network segments.
V-259349 Medium All authoritative name servers for a zone must have the same version of zone information.
V-259382 Medium The Windows DNS Server must be configured to validate an authentication chain of parent and child domains via response data.
V-259392 Medium The Windows DNS Server must use an approved DOD PKI certificate authority.
V-259380 Medium The Windows DNS Server must enforce approved authorizations between DNS servers using digital signatures in the Resource Record Set (RRSet).
V-259393 Medium The Windows DNS Server must protect secret/private cryptographic keys while at rest.
V-259351 Medium The digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.
V-259415 Medium The Windows DNS Server audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
V-259336 Medium The Windows DNS Server must notify the DNS administrator in the event of an error validating another DNS server's identity.
V-259368 Medium The Windows DNS Server key file must be owned by the account under which the Windows DNS Server service is run.
V-259352 Medium For zones split between the external and internal sides of a network, the resource records (RRs) for the external hosts must be separate from the RRs for the internal hosts.
V-259402 Medium The Windows DNS Server must follow procedures to re-role a secondary name server as the primary name server if the primary name server permanently loses functionality.
V-259369 Medium The Windows DNS Server permissions must be set so the key file can only be read or modified by the account that runs the name server software.
V-259395 Medium The Windows DNS Server must restrict individuals from using it for launching denial-of-service (DoS) attacks against other information systems.
V-259410 Medium A unique Transaction Signature (TSIG) key must be generated for each pair of communicating hosts.
V-259391 Medium The Windows DNS Server must protect the authenticity of query responses via DNSSEC.
V-259354 Medium Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
V-259385 Medium The Windows DNS secondary servers must request data origin authentication verification from the primary server when requesting name/address resolution.
V-259407 Medium The Windows DNS Server must verify the correct operation of security functions upon system startup and/or restart, upon command by a user with privileged access, and/or every 30 days.
V-259406 Medium The Windows DNS Server must verify the correct operation of security functions upon startup and/or restart, upon command by a user with privileged access, and/or every 30 days.
V-259405 Medium The Windows DNS Server must, when a component failure is detected, activate a notification to the system administrator.
V-259404 Medium The HINFO, RP, TXT, and LOC RR types must not be used in the zone SOA.
V-259403 Medium The DNS Name Server software must be configured to refuse queries for its version information.
V-259386 Medium The Windows DNS secondary server must request data integrity verification from the primary server when requesting name/address resolution.
V-259401 Medium The Windows DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, including IP ranges and IP versions.
V-259400 Medium The Windows DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
V-259375 Medium The Windows DNS Server must return data information in response to internal name/address resolution queries.
V-259383 Medium Trust anchors must be exported from authoritative Windows DNS Servers and distributed to validating Windows DNS Servers.
V-259377 Medium WINS lookups must be disabled on the Windows DNS Server.
V-259398 Medium The Windows DNS Server must maintain the integrity of information during preparation for transmission.
V-259371 Medium The Windows DNS Server must implement a local cache of revocation data for PKI authentication.
V-259370 Medium The private key corresponding to the zone signing key (ZSK) must only be stored on the name server that does support dynamic updates.
V-259409 Medium The Windows DNS Server must be configured to notify the information system security officer (ISSO), information system security manager (ISSM), or DNS administrator when functionality of DNSSEC/TSIG has been removed or broken.
V-259408 Medium The Windows DNS Server must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.
V-259357 Medium The Windows DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.
V-259356 Medium The Windows DNS Server must implement internal/external role separation.
V-259355 Medium The Windows DNS Servers zone database files must not be accessible for edit/write by users and/or processes other than the Windows DNS Server service account and/or the DNS database administrator.
V-259394 Medium The Windows DNS Server must only contain zone records that have been validated annually.
V-259335 Medium The Windows DNS Server must be configured to record who added/modified/deleted DNS zone information.
V-259334 Medium The Windows DNS Server must restrict incoming dynamic update requests to known clients.
V-259337 Medium The Windows DNS Server log must be enabled.
V-259363 Medium The Windows DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.
V-259339 Medium The validity period for the Resource Record Signatures (RRSIGs) covering the Delegation Signer (DS) Resource Record (RR) for a zone's delegated children must be no less than two days and no more than one week.
V-259338 Medium The "Manage auditing and security log" user right must be assigned only to authorized personnel.
V-259396 Medium The Windows DNS Server must use DNS Notify to prevent denial of service (DoS) through increase in workload.
V-259413 Medium The DNS Name Server software must run with restricted privileges.
V-259359 Medium The Windows DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
V-259358 Medium The Windows DNS Servers zone files must not include resource records that resolve to a fully qualified domain name residing in another zone.